Spring-security - httponlycookie into existing jwt intergration?

Question

I have been told it is insecure to just use JWT without HttpOnly cookie when using a seperate frontend-service.

As suggested here:

http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/

HttpOnly Cookie: https://www.ictshore.com/ict-basics/httponly-cookie/

I currently have a working JWT system so i'm trying to upgrade this to support the cookie implementation.

I firstly changed my SecurityConfiguration to the following:

    private final UserDetailsService uds;
    private final PasswordEncoder bcpe;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(uds).passwordEncoder(bcpe);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable();
        http.addFilter(new CustomAuthenticationFilter(authenticationManagerBean()));
        http.addFilterBefore(new CustomAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class);
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().logout().deleteCookies(CustomAuthorizationFilter.COOKIE_NAME)
            .and().authorizeRequests().antMatchers("/login/**", "/User/refreshToken", "/User/add").permitAll()
            .and().authorizeRequests().antMatchers(GET, "/**").hasAnyAuthority("STUDENT")
            .anyRequest().authenticated();
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception{ // NO FUCKING IDEA WHAT THIS DOES
        return super.authenticationManagerBean();
    }

From here I am trying to insert the actual cookie implementation into my CustomAuthorizationFilter:

public class CustomAuthorizationFilter extends OncePerRequestFilter { // INTERCEPTS EVERY REQUEST

    public static final String COOKIE_NAME = "auth_by_cookie";

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {

        if(request.getServletPath().equals("/login") || request.getServletPath().equals("/User/refreshToken/**")){ // DO NOTHING IF LOGGING IN OR REFRESHING TOKEN
            filterChain.doFilter(request,response);
        }
        else{
            String authorizationHeader = request.getHeader(AUTHORIZATION);
            if(authorizationHeader != null && authorizationHeader.startsWith("Bearer ")){
                try {
                    String token = authorizationHeader.substring("Bearer ".length());
                    //NEEDS SECURE AND ENCRYPTED vvvvvvv
                    Algorithm algorithm = Algorithm.HMAC256("secret".getBytes());

                    JWTVerifier verifier = JWT.require(algorithm).build(); // USING AUTH0
                    DecodedJWT decodedJWT = verifier.verify(token);
                    String email = decodedJWT.getSubject(); // GETS EMAIL
                    String[] roles = decodedJWT.getClaim("roles").asArray(String.class);
                    Collection<SimpleGrantedAuthority> authorities = new ArrayList<>();
                    stream(roles).forEach(role -> {  authorities.add(new SimpleGrantedAuthority(role)); });
                    UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(email, null, authorities);
                    SecurityContextHolder.getContext().setAuthentication(authToken);
                    filterChain.doFilter(request, response);
                }

                catch (Exception e){
                    response.setHeader("error" , e.getMessage() );
                    response.setStatus(FORBIDDEN.value());
                    Map<String, String> error = new HashMap<>();
                    error.put("error_message", e.getMessage());
                    response.setContentType(APPLICATION_JSON_VALUE);
                    new ObjectMapper().writeValue(response.getOutputStream(), error);
                }
            }
            else{ filterChain.doFilter(request, response); }
        }
    }
}

What I don't know is where to insert the cookie reading & where to wrap it. Does it wrap around the JWT?

I did see this implementation:

public class CookieAuthenticationFilter extends OncePerRequestFilter {

    public static final String COOKIE_NAME = "auth_by_cookie";

    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest,
                                    HttpServletResponse httpServletResponse,
                                    FilterChain filterChain) throws ServletException, IOException {
        Optional<Cookie> cookieAuth = Stream.of(Optional.ofNullable(httpServletRequest.getCookies()).orElse(new Cookie[0]))
                .filter(cookie -> COOKIE_NAME.equals(cookie.getName()))
                .findFirst();

        if (cookieAuth.isPresent()) {
            SecurityContextHolder.getContext().setAuthentication(
                    new PreAuthenticatedAuthenticationToken(cookieAuth.get().getValue(), null));
        }

        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }
}

Though this mentions its the "authenticationFilter", I do have an authentication filter though it is less comparable to this CookieAuthenticationFilter than CustomAuthorizationFilter:

public class CustomAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    private final AuthenticationManager authManager;
    public CustomAuthenticationFilter authManagerFilter;
    private UserService userService;

    @Override // THIS OVERRIDES THE DEFAULT SPRING SECURITY IMPLEMENTATION
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        String email = request.getParameter("email");
        String password = request.getParameter("password");
        UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(email, password);
        return authManager.authenticate(authToken);
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authentication) throws IOException, ServletException {
        // SPRING SECURITY BUILT IN USER
        User springUserDetails = (User) authentication.getPrincipal();

        // NEEDS SECURE AND ENCRYPTED vvvvvvv
        Algorithm algorithm = Algorithm.HMAC256("secret".getBytes()); // THIS IS USING AUTH0 DEPENDENCY
        String access_token = JWT.create()
                .withSubject(springUserDetails.getUsername())
                .withExpiresAt(new Date(System.currentTimeMillis() + 120 * 60 * 1000)) // this should be 2 hours
                .withIssuer(request.getRequestURI().toString())
                .withClaim("roles", springUserDetails.getAuthorities()
                        .stream()
                        .map(GrantedAuthority::getAuthority)
                        .collect(Collectors.toList()))
                .sign(algorithm);

        String refresh_token = JWT.create()
                .withSubject(springUserDetails.getUsername())
                .withExpiresAt(new Date(System.currentTimeMillis() + 120 * 60 * 1000)) // this should be 2 hours
                .withIssuer(request.getRequestURI().toString())
                .withClaim("roles", springUserDetails.getAuthorities()
                        .stream()
                        .map(GrantedAuthority::getAuthority)
                        .collect(Collectors.toList()))
                .sign(algorithm);

        Map<String, String> tokens = new HashMap<>();
        tokens.put("access_token", access_token);
        tokens.put("refresh_token", refresh_token);
        response.setContentType(APPLICATION_JSON_VALUE);
        new ObjectMapper().writeValue(response.getOutputStream(), tokens);
    }

    @Override
    protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {
            ...
            new ObjectMapper().writeValue(response.getOutputStream(), error);
        }
    }
}

Any suggestions are welcome!

Answer 1

By looking at all your custom code I would strongly recommend that you actually read the spring security documentation of the different authentication types that are available and look up the advantages and disadvantages.

And understand that there are security standards for how logins should be built and what you have built is insecure, non-scalable custom made which is very bad practice.

but here is a short recap:

FormLogin

The user authenticates themselves presenting a username and a password. In return, they will get a session cookie that contains a random string but is mapped to a key-value store on the server side.

The cookie is set to httpOnly and httpSecure which means it's harder to steal them and it's not vulnerable to XSS in the browser.

I just want to emphasize the cookie contains a random string, so if you want user information you either return the cookie after login and userinfo in the body or you do an additional call to a user endpoint and fetch user information.

The downside is that this solution does not scale if you want 5 backend servers you need something like Spring Session and set up a store, that stores the session so that it is shared between the backend servers.

Upside, we can just server-side invalidate the cookie whenever we want. We have full control.

oauth2

Well, this is the one most people know about, you want to login, and you are redirected, to an issuer (a different server). You authenticate with that server, the server gives you a temporary token that you can exchange for an opague token.

What is in opague token, well it's just a random text string that the issuer keeps track of.

Now when you want to call your backend you setup your backend as a resource server, that you present the token for in a header. The resource server extracts the token from the header, asks the issuer if the token is valid, and it answers yes or no.

Here you can revoke tokens, by going to the issuer and saying "this token is not valid anymore" and next time the token is presented it will check with the issuer that it is blocked and we are fine.

oauth2 + JWT

Like above but instead of having an opague token, we instead send a JWT to the client. So that, when the JWT has presented the resource server, does not have to ask the issuer if the token is valid. We can instead check the signature using a JWK. With this approach, we have one less call to the issuer to check the validity of the token.

JWT is just a format of a token. Opague token = random string, JWT = signed data in the format of JSON and used as a token.

JWTs were never meant to replace cookies, people just started using them instead of cookies.

But what we loose is the ability to know to revoke tokens. As we don't keep track of the JWTs in the issuer and we don't ask the issuer on each call.

We can reduce the risk here by having tokens that are short-lived. Maybe 5 minutes. But remember ITS STILL A RISK, for 5 mins malicious actors can do damage.

Your solution

If we look at your custom solution, which many people on the internet are building which has many many flaws is that you have built a FormLogin solution that gives out JWTs and hence comes with all the problems of JWTs.

So your token can be stolen in the browser as it does not have the security that comes with cookies. We have no ability to revoke tokens if it gets stolen. It is not scalable and it is custom written which means one bug and the entire application's data is compromised.

So basically all the bad things from the solutions above are combined here into one super bad solution.

My suggestion

You remove all your custom code and look at what type of application you have.

If it is a single server small application, use FormLogin, don't use JWTs at all. Cookies have worked for 20 years and they are still fine. Don't use JWTs just because want to use JWTs.

If you are writing a larger application, use a dedicated authorization server like okta, curity, spring authorization server, keycloak.

Then setup your servers to be resource servers using the built-in resource server functionality that comes with spring security and is documented in the JWT chapter in the docs.

JWTs were from the beginning never meant to be exposed to clients, since you can read everything in them they were meant to be used between servers to minimize calls to issuers because the data is signed so each server could check the signature by themselves.

Then the entire javascript community and lazy developers started writing custom insecure solutions to give out JWTs to the client.

Now everyone just googles a tutorial of spring security with JWT and builds something custom and insecure and then ask on stack overflow when "someone has pointed out that their solution is insecure".

If you are serious about building a secure login read the following:

• Spring security official documentation, chapters formlogin, oauth2, JWT
• The oauth2 specification
• The JWT specification

Curity has good documentation about oauth2 https://curity.io/resources/learn/code-flow/

FormLogin spring https://docs.spring.io/spring-security/reference/servlet/authentication/passwords/form.html

oauth2 spring https://docs.spring.io/spring-security/reference/servlet/oauth2/index.html

configure your application to handle JWTs https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html

Some pointers about your code

this is completely unneeded. You have overridden a function and then you are calling the default implementation, also think about your languages in your comments.

@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception{ // NO FUCKING IDEA WHAT THIS DOES
    return super.authenticationManagerBean();
}

Also, this entire class can be removed

public class CustomAuthorizationFilter extends OncePerRequestFilter

If you want to handle JWTs and make your server a resource server all you do is as the documentation states https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html#oauth2resourceserver-jwt-sansboot

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(authorize -> authorize
            .anyRequest().authenticated()
        )
        // This line sets up your server to use the built in filter
        // and accept JWT tokens in headers
        .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
    return http.build();
}

you can then setup a JWTDecoder using the built-in Nimbuslibrary that comes with spring security

@Bean
JwtDecoder jwtDecoder() {
    return NimbusJwtDecoder.withJwkSetUri(this.jwkSetUri)
            .jwsAlgorithm(RS512).jwsAlgorithm(ES512).build();
}

Since it's a Bean it will automatically get injected, so we don't have to manually set anything.

http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)

Here you have stated that you want the server to be stateless which means you have disabled cookies as cookies are what the server uses to retain the state from the clients. And then you are trying to implement a custom cookie filter.

Once again, you have to decide, are you going to use FormLogin with cookies, or oauth2 + JWT because now you are doing a mish-mash between.

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(uds).passwordEncoder(bcpe);
}

Is most likely not needed as I assume that both uds and bcpe are beans, components, etc., and will automatically get injected. No need to make something a bean THEN manually set it. You make something a bean so you DON'T have to set it manually. But you are doing both.